topic Re: FTD can't reach the internet or the router in Network Security

FTD can't reach the internet or the router

moha27med — Sat, 18 Feb 2023 13:44:49 GMT

Hello Guys
I made this Lab in Gns3 to prepare myself for my CCNP Security exam
Everything work fine, I configure the FTD through FMC, I gave IPs for outside & inside interfaces
also, I have configured NAT and Static route, the issue is that FTD can't reach the internet (so I can't ping to 192.168.122.1)
really I don't know what is the problem, maybe could someone help me

UPDATE: there is no Problem with INTERNET ISP, I have tested with router and PC is pingable

Re: FTD can't reach the internet or the router

MHM Cisco World — Fri, 17 Feb 2023 18:05:21 GMT

I think thr issue is in NAT cloud not in FTD.

Re: FTD can't reach the internet or the router

Karsten Iwen — Fri, 17 Feb 2023 18:50:42 GMT

You do not state how you tested. Regardless of any configuration problem in access-control, routing and NAT, you should be able to ping the next hop from the FTD itself.

Try if that works and if not, post the output of:

show int ip brief show run route show route show arp

Re: FTD can't reach the internet or the router

georgipetrov — Sat, 18 Feb 2023 12:58:40 GMT

I once had this issue, if you configured NAT and the route is fine, you might need to clear the ARP cache with ISP.

Edit: Noticing now you mentioned its a lab - in this case forget ISP

Re: FTD can't reach the internet or the router

moha27med — Sat, 18 Feb 2023 13:42:42 GMT

no cuz i tested the NAT cloud with router and PC, so there are no problems with it

Re: FTD can't reach the internet or the router

MHM Cisco World — Sat, 18 Feb 2023 13:59:25 GMT

can I see the route in FTD toward the NAT cloud ? <<- you already share the show route
can you use wireshark between FTD and cloud
see if the FTD get ARP reply for it ARP request

Re: FTD can't reach the internet or the router

moha27med — Sat, 18 Feb 2023 13:49:16 GMT

See the attachment pls, these are the outputs

Re: FTD can't reach the internet or the router

Marius Gunnerud — Sat, 18 Feb 2023 13:57:58 GMT

How is GNS3 installed? Is it on a Linux, Windows, VM ?

In either of these cases, my first thought would be that the Host device where GNS3 is running is not sharing its network interface with GNS3.

Re: FTD can't reach the internet or the router

Karsten Iwen — Sat, 18 Feb 2023 13:59:08 GMT

The config looks good so that you should be able to ping the default gateway from the FTD CLI. But with the ARP table empty it is most likely that you messed up you connection between FTD and Default-Gateway inside of GNS3.

Re: FTD can't reach the internet or the router

moha27med — Sat, 18 Feb 2023 14:00:56 GMT

It is on VM, but there is no problem with Network, because i tested already with the router and pc in the lab (can see it beside the diagram)

Re: FTD can't reach the internet or the router

moha27med — Sat, 18 Feb 2023 14:06:49 GMT

this is the output of Wireshark between FTD and Cloud, it looks like there are no connection between, right?

Re: FTD can't reach the internet or the router

MHM Cisco World — Sat, 18 Feb 2023 14:07:13 GMT

If you not see ARP reply then simple solution to complete your lab is
add router between the cloud and FTD
then confing NATing in router.
it is some GNS limitation I think

Re: FTD can't reach the internet or the router

Marius Gunnerud — Sat, 18 Feb 2023 14:20:42 GMT

I am not saying there is a problem with the network, I am saying there is a problem between GNS3 and the host interface. Have you tried assigning the virtual interface to a virtual PC on the VMware host and test from it? I suspect that this will also not work.

But you say that this is VMware, is there a switch between the VMware host and 192.168.122.1? If yes how is the switch port configured (trunk, access-port)?

Re: FTD can't reach the internet or the router

MHM Cisco World — Sat, 18 Feb 2023 14:22:10 GMT

no there is but the arp is missing.
please use workaround as I write below and check again.

Re: FTD can't reach the internet or the router

moha27med — Mon, 20 Feb 2023 11:09:06 GMT

I found the Problem, the issue in FW FTD, it can't ping to all direction also to Inside and DMZ.
There is a ping between Router and Internet,
but i still don't know why the FW doesn't ping at all, I check the ACL, but there are no restrictions

Re: FTD can't reach the internet or the router

moha27med — Mon, 20 Feb 2023 11:12:59 GMT

UPDATE!!!
I found the Problem, the issue in FW FTD, it DOESN'T ping to all direction also to Inside area and DMZ.
There is a ping between Router and Internet,
but I still don't know why the FW doesn't ping at all, I check the ACL through FMC, but there are no restrictions;

Re: FTD can't reach the internet or the router

MHM Cisco World — Mon, 20 Feb 2023 11:26:08 GMT

Configure ICMP Access Rules

By default, you can send ICMP packets to any interface using either IPv4 or IPv6, with these exceptions:

The FTD does not respond to ICMP echo requests directed to a broadcast address.
The FTD only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.

To protect the device from attacks, you can use ICMP rules to limit ICMP access to interfaces to particular hosts, networks, or ICMP types. ICMP rules function like access rules, where the rules are ordered, and the first rule that matches a packet defines the action.

If you configure any ICMP rule for an interface, an implicit deny ICMP rule is added to the end of the ICMP rule list, changing the default behavior. Thus, if you want to simply deny a few message types, you must include a permit any rule at the end of the ICMP rule list to allow the remaining message types.

We recommend that you always grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP path MTU discovery, which can halt IPsec and PPTP traffic. Additionally ICMP packets in IPv6 are used in the IPv6 neighbor discovery process.

Before you begin

Ensure that the objects needed in the rules already exist. Select Objects > Object Management to configure objects. You need network objects that define the desired hosts or networks, and port objects that define the ICMP message types you want to control.

Procedure

Step 1	Select Devices > Platform Settings and create or edit the FTD policy.
Step 2	Select ICMP.
Step 3	Configure ICMP rules. Click Add to add a new rule, or click Edit to edit an existing rule. Configure the rule properties: Action—Whether to permit (allow) or deny (drop) matching traffic. ICMP Service—The port object that identifies the ICMP message type. Network—The network object that identifies the hosts or networks whose access you are controlling. Security Zones—Add the zones that contain the interfaces that you are protecting. For interfaces not in a zone, you can type the interface name into the field below the Selected Security Zone list and click Add. These rules will be applied to a device only if the device includes the selected interfaces or zones. Click OK.
Step 4	(Optional.) Set rate limits on ICMPv4 Unreachable messages. Rate Limit—Sets the rate limit of unreachable messages, between 1 and 100 messages per second. The default is 1 message per second. Burst Size—Sets the burst rate, between 1 and 10. This value is not currently used by the system.
Step 5	Click Save. You can now click Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.

Re: FTD can't reach the internet or the router

Sheraz.Salim — Mon, 20 Feb 2023 11:48:00 GMT

The purpose of the security appliance is to be silent and its not mandatory to respond to each single packet (arp/ip/dhcp) etc.

Most of the feature of FTD are inherited from ASA. as under the hood FTD is more like LINA and CLISH.